When Dictionaries Attack: How Hackers Use Dictionaries to Guess Passwords

It seems like there’s always a new story on millions of passwords being hacked. Each attack feels personal, especially if you’re one of the many people that has one password across several sites, whether it’s Facebook or LinkedIn, e-mail or a bank account. And since one way hackers fish out passwords is by using a dictionary attack (a name that brings shame to the honorable profession of lexicography), we’re always on high alert here. What is a dictionary attack? How can a benign book of meanings be used to uncover passwords?

With a smart algorithm and a dictionary, hackers are finding it surprisingly easy to guess passwords. And we have no one to blame but ourselves. In a recent study at Cambridge University, computer scientist Joseph Bonnea analyzed 70 million passwords from Yahoo! users. (Don’t worry, he didn’t steal them. The passwords were separated from their usernames.) Bonnea used the passwords to test possible hacking attempts. He found that using the 1,000 most common words in the dictionary an algorithm could correctly guess the passwords of up to 10% of the users. Turns out that many of us choose passwords that are relatively easy to remember and based on common words, and hackers can guess your password using a database of words (usually a dictionary of some sort).

So what should you do to protect your online accounts? Google recommends that you use an unusual string of letters. You could try an abbreviation of your favorite song lyric or your parents’ and siblings’ initials. Google uses the example of the famous line from Hamlet: To be or not to be that is the question. It can abbreviated as 2bon2btitq. It would be hard to find that string of letters anywhere else, which makes it almost impossible to hack into.

We aspire to reclaim the power of the dictionary for the protection of online safety. Here’s one answer to those hackers who sully the reputation of the dictionary: use really unusual words with rare letter combinations that are easier to remember than an incomprehensible string—and can have funny meanings. Here are a few of our favorite picks:cacoethesdactyllitotesquidnunczyzzyva

What do you think of using the dictionary as a hacking tool? Will you change your password to something more challenging?